Rootkit - A Malware Or Not?
What is a rootkit?
Rootkit – the name itself consists of two parts: Root and Kit. The program gives the intruder "root", that is, administrator privileges on the system. It can influence many processes, though by itself it is not malicious. Let us look in more detail at what exactly a rootkit is, how it gets into the system, what it causes and how to fight it.
First of all, as we already mentioned, it is NOT malicious software. Why then is everyone so afraid of it? Mostly because of the backdoor it leaves in the system. You surely remember those Hollywood films about smart guys breaking into the best-protected systems through a backdoor. Well, this is no invention and nothing from science fiction. The backdoor is the most unpleasant thing about a rootkit: it is a point of access to your system, and through it the hacker can do many bad things, such as data theft, information collection and so on. In practice, it lets him manage your computer. In some cases the backdoor is not even needed, especially if the main purpose of the software is information collection or something else that takes time. In such cases the backdoor is not the main goal; the main thing is that the software stays undetected.
A rootkit lets an intruder gain root (the main user) access, or maintain a persistent, undetectable presence on the computer. In both cases the software itself is not bad; what may be bad are the purposes for which it is used. In some cases it is used legitimately, for example under a court order or in large corporations for special purposes.
The main principle of how a rootkit works is modification of software. What kind of modification? There are several kinds, and all of them have security consequences. The first and probably the simplest is patching. The executable code of any program consists of a series of encoded instructions, stored as bytes, which follow in a specific order. If this order is modified, the logic of the program changes too, and hence its security is compromised.
The next kind of software modification is called Easter eggs. The thing itself is far less pleasant than the name. This is when the logic of the software is modified through a backdoor. In most cases it is left by the programmer who developed the software, and it is used mostly as a kind of signature showing that the program was developed by this programmer.
Spyware modifications are when one program modifies another piece of software, and the goal of the modification is to infect it. In this case the action is malicious.
Is a rootkit an exploit?
No, it is not. It is just a program that gives access, but it can easily be used together with an exploit, and it can even incorporate one. A newer way to install a rootkit is in fact through an exploit, for example a buffer overflow. Though a rootkit is not an exploit, this is not only an advantage but also a danger: since it is not malicious, no firewall is able to protect against it, and average anti-malware software usually cannot detect it either. That is why, if you want to be completely protected, you should invest in advanced antivirus and anti-malware software.
Is rootkit a virus?
To start with, a virus is a program that propagates itself within a system. A rootkit does not self-propagate and has no intelligence of its own; it is under the complete control of the person who initiated the attack. That is why it can be used for legitimate control, where the controlling person has access only to a certain kind of data and must not exceed the legitimate limits. A virus in such circumstances would be out of control. It is, however, possible to design a worm that spreads via the exploit, and this is an efficient way to keep the virus or worm undetected for a long time. Usually such a method is used to collect information, as the virus cannot be detected for a long time, or in some cases it may contain a time-bomb timer, so that after some time it destroys itself without leaving any traces. The main thing is that the mission is completed and there is no other damage to the system it was on.
There is, however, a trend to use software exploits to propagate viruses. This trend poses a huge danger to computers running Windows, as such viruses are extremely difficult to detect. Even more dangerous is that Windows has many bugs and exploits, and new ones keep being discovered. But if you were a hacker intending to use those exploits, would you inform everybody about them? Of course not. On the contrary, you would do everything possible to keep them secret for as long as possible. That is why, if you understand rootkit technology, you will know better how to protect yourself and your system.
Rootkit – what kind is more dangerous?
Application rootkits – they change user-mode applications, usually to hide themselves from detection.
Kernel-mode rootkits – they change kernel-mode code, such as driver code, again to protect themselves from detection. These rootkits are more dangerous, because if a virus infected the system through this kind of rootkit, it is almost impossible to detect.
Virtual-machine rootkits – this kind of rootkit turns itself into the base (host) operating system, while the original system starts running as a guest operating system. This is extremely dangerous because, for now, there is no way to detect whether the OS is running as the base or as a guest.
Though detecting a rootkit is really complicated for the reasons mentioned, there are some kinds of specialised advanced software that can do it. Rootkits become part of the OS, which is why a very simple method is also very effective: boot a known-good copy of the OS, and your system is simply reinstalled without the rootkit. As for ordinary antivirus programs, they are rather useless both for detecting and for removing rootkits. For example, rootkits change files in such a way as not to be detected, and they are not viruses. Nowadays, however, advanced antivirus products with improved functionality exist, and they can even detect rootkits and fight them off.
The best way, though, is to take a snapshot of a freshly installed OS and of the OS that has been in use and is suspected of containing a rootkit. If any changes are detected, it is a sign that a rootkit is in your system. There are more advanced tools that use artificial intelligence to detect any changes in the system, and they are efficient in detecting rootkits too. They use different algorithms to detect rootkits; the most popular are signature-based (similar to those used for virus detection), integrity-based (all files, kernel modules and processes are checked to verify their binary integrity), and taking a memory dump and parsing it for anomalies, signatures or other patterns caused by a rootkit.
Even though there are kinds of software that can detect a rootkit, far from all of them can remove it. So knowing that your system contains a rootkit does not help you much and does not by itself provide much more security.
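The snapshot-and-compare method described above, and the integrity-based checking mentioned in the same paragraph, come down to recording a hash of every file on a clean system and later re-hashing and diffing. The following is an added example written for this page; it is not code from the original article or from any of the tools it names. It builds such a baseline manifest, then simulates the kind of byte-level patching the article describes earlier and reports what changed. The directory tree, file names and contents are constructed for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (path relative to root) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = Path(dirpath) / name
            # Only regular files are hashed; symlinks are skipped so a link
            # pointing elsewhere cannot stand in for the real binary.
            if full.is_symlink() or not full.is_file():
                continue
            manifest[full.relative_to(root).as_posix()] = sha256_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Diff two manifests: files added, removed, or whose bytes changed."""
    base_keys = set(baseline)
    cur_keys = set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: a tiny stand-in OS tree, a baseline, then a patched binary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "lib").mkdir()
        # Constructed stand-ins for system binaries; the bytes are arbitrary.
        (root / "bin" / "ls").write_bytes(b"\x7fELF" + b"\x00" * 16 + b"list-files")
        (root / "bin" / "ps").write_bytes(b"\x7fELF" + b"\x00" * 16 + b"list-procs")
        (root / "lib" / "libc.so").write_bytes(b"\x7fELF" + b"\x00" * 16 + b"libc")

        # Snapshot of the "freshly installed" tree.
        baseline = build_manifest(root)

        # Simulate patching: a few bytes of one binary change and a new
        # file appears in the library directory.
        data = bytearray((root / "bin" / "ps").read_bytes())
        data[-5:] = b"hide!"
        (root / "bin" / "ps").write_bytes(bytes(data))
        (root / "lib" / "extra.so").write_bytes(b"new module")

        current = build_manifest(root)
        return compare_manifests(baseline, current)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats follow directly from the article's own points. A kernel-mode rootkit can lie to the process doing the hashing, so both the baseline and the later scan are only trustworthy when taken after booting from known-good media, as the previous paragraph suggests. And the baseline must be stored off the machine being checked, otherwise the same access that modifies `bin/ps` can modify the manifest to match.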
So, what antivirus / antimalware software provides at least something against rootkits? Is an ordinary software enough to be protected from this threat?
Ordinary software, no matter how advanced, does not provide protection against rootkits, because rootkits are not malicious in themselves: they are not viruses or other malware.
McAfee and Symantec are ordinary antivirus and anti-malware products that can detect rootkits. They also provide some protection against the installation of rootkits. In general, though, special tools are required to detect rootkits and to remove them.
The most famous such tool is chkrootkit, and its reputation is well proven. It performs detailed checks of binary integrity, checks kernel modules and inspects file modifications. It works on Linux as well. That is why it is considered one of the most reliable tools of its kind and a must-have in any administrator's toolkit.
This is, of course, not just antivirus or anti-malware software but a specialised tool. Such tools can be divided into host-based and network-based. The host-based ones use an active defence system and are more dangerous to rootkits, as they can not only detect but also prevent the intrusion.
The most famous host-based intrusion detection systems are:
- Blink, by eEye Digital Security
- Integrity Protection Driver
- Okena StormWatch
- Linux Intrusion Detection System
- WatchGuard ServerLock
These systems are the greatest threat to rootkits, as they not only detect them but also prevent them from installing and from doing anything at all. Basically, whatever the rootkit is up to, it will be detected and stopped.
Network-based intrusion detection systems are not as reliable. They deal mostly with large volumes of traffic, and something as small as a rootkit will rarely be noticed; but if it arrives together with something that takes up a lot of memory, that will be detected and stopped, and the rootkit with it.